From: Eric Blake
Subject: Re: security: install 5.93/5.97 ignores --mode on existing dirs if no leading 4th byte
Date: Tue, 01 May 2007 18:29:56 -0600
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.10) Gecko/20070221 Thunderbird/1.5.0.10 Mnenhy/0.7.5.666
According to Marc MERLIN on 5/1/2007 12:17 PM:
> Incorrect/Insecure behaviour with install 5.93 or 5.97:
>
> As you can see, the newer install refuses to reset permissions unless
> there is some leading byte.
Consider upgrading. The latest stable version is 6.9, and there have been
intentional changes in this area. Quoting from NEWS:

* Major changes in release 6.0 (2006-08-15) [unstable]

chmod, install, and mkdir now preserve a directory's set-user-ID and
set-group-ID bits unless you explicitly request otherwise. E.g.,
`chmod 755 DIR' and `chmod u=rwx,go=rx DIR' now preserve DIR's
set-user-ID and set-group-ID bits instead of clearing them, and
similarly for `mkdir -m 755 DIR' and `mkdir -m u=rwx,go=rx DIR'. To
clear the bits, mention them explicitly in a symbolic mode, e.g.,
`mkdir -m u=rwx,go=rx,-s DIR'. To set them, mention them explicitly
in either a symbolic or a numeric mode, e.g., `mkdir -m 2755 DIR',
`mkdir -m u=rwx,go=rx,g+s' DIR. This change is for convenience on
systems where these bits inherit from parents. Unfortunately other
operating systems are not consistent here, and portable scripts
cannot assume the bits are set, cleared, or preserved, even when the
bits are explicitly mentioned. For example, OpenBSD 3.9 `mkdir -m
777 D' preserves D's setgid bit but `chmod 777 D' clears it.
Conversely, Solaris 10 `mkdir -m 777 D', `mkdir -m g-s D', and
`chmod 0777 D' all preserve D's setgid bit, and you must use
something like `chmod g-s D' to clear it.

--
Don't work too hard, make some time for fun as well!
Eric Blake address@hidden
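
The NEWS entry quoted above means a script cannot rely on a numeric mode to clear the set-user-ID and set-group-ID bits of an existing directory. The following POSIX shell sketch is an added example, not part of the original message or of coreutils, and its function names are hypothetical; it clears the bits explicitly with a symbolic mode and then verifies the result instead of assuming it:

```shell
#!/bin/sh
# Added example; dir_mode_string, mode_has_setid and reset_dir_mode are
# hypothetical helper names, not coreutils interfaces.

# Return the 10-character mode string (e.g. drwxr-sr-x) that POSIX `ls -ld`
# prints first; any trailing ACL/SELinux marker (+ or .) is cut off.
dir_mode_string() {
    ls -ld -- "$1" | awk '{ print substr($1, 1, 10) }'
}

# Succeed if a mode string shows set-user-ID (4th char) or set-group-ID
# (7th char); `S` means the bit is set without the matching execute bit.
mode_has_setid() {
    case "$1" in
        ???[sS]??????|??????[sS]???) return 0 ;;
        *) return 1 ;;
    esac
}

# reset_dir_mode DIR PERMS
# Apply PERMS (symbolic, e.g. u=rwx,go=rx), clear the set-ID bits by naming
# them explicitly, then verify rather than trust the chmod in use.
reset_dir_mode() {
    dir=$1 perms=$2
    # Refuse symlinks so the mode checked is the directory's own.
    if [ ! -d "$dir" ] || [ -h "$dir" ]; then
        echo "not a real directory: $dir" >&2
        return 2
    fi
    chmod "$perms" "$dir" || return 2
    # The NEWS text names `chmod g-s D` as what clears setgid on Solaris 10.
    chmod u-s,g-s "$dir" || return 2
    mode=$(dir_mode_string "$dir")
    if mode_has_setid "$mode"; then
        echo "set-ID bits still present on $dir: $mode" >&2
        return 1
    fi
    printf '%s\n' "$mode"
}

# Usage: sh reset_dir_mode.sh DIR PERMS
if [ "$#" -eq 2 ]; then
    reset_dir_mode "$1" "$2"
fi
```
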